User specific automatic data redirection system

ABSTRACT

A data redirection system for redirecting a user's data based on a stored rule set. The redirection of data is performed by a redirection server, which receives the redirection rule sets for each user from an authentication and accounting server and a database. Prior to using the system, users authenticate with the authentication and accounting server and receive a network address. The authentication and accounting server retrieves the proper rule set for the user and communicates the rule set and the user's address to the redirection server. The redirection server then implements the redirection rule set for the user's address. Rule sets are removed from the redirection server either when the user disconnects or based on some predetermined event. New rule sets are added to the redirection server either when a user connects or based on some predetermined event.

CROSS-REFERENCE TO RELATED APPLICATION(S)

This application is a continuation of U.S. patent application Ser. No. 10/919,214, filed on Aug. 16, 2004, which is a continuation of U.S. patent application Ser. No. 09/295,966, filed on Apr. 21, 1999, which claims the benefit of the filing date of U.S. Provisional Application No. 60/084,014, filed May 4, 1998, all of which are incorporated by reference as if set forth in full herein.

FIELD OF THE INVENTION

This invention relates to the field of Internet communications, more particularly, to a database system for use in dynamically redirecting and filtering Internet traffic.

BACKGROUND OF THE INVENTION

In prior art systems, as shown in FIG. 1, when an Internet user establishes a connection with an Internet Service Provider (ISP), the user first makes a physical connection between their computer 100 and a dial-up networking server 102 and provides the dial-up networking server with their user ID and password. The dial-up networking server then passes the user ID and password, along with a temporary Internet Protocol (IP) address for use by the user, to the ISP's authentication and accounting server 104. A detailed description of the IP communications protocol is given in Internetworking with TCP/IP, 3rd ed., Douglas Comer, Prentice Hall, 1995, which is fully incorporated herein by reference. The authentication and accounting server, upon verification of the user ID and password against a database 106, sends an authorization message to the dial-up networking server 102 allowing the user to use the temporary IP address assigned to that user by the dial-up networking server, and then logs the connection and the assigned IP address. For the duration of that session, whenever the user makes a request to the Internet 110 via a gateway 108, the end user is identified by the temporarily assigned IP address.

The redirection of Internet traffic is most often done with World Wide Web (WWW) traffic (more specifically, traffic using the HTTP (hypertext transfer protocol)). However, redirection is not limited to WWW traffic, and the concept is valid for all IP services. To illustrate how redirection is accomplished, consider the following example, which redirects a user's request for a WWW page (typically an html (hypertext markup language) file) to some other WWW page. First, the user instructs the WWW browser (typically software running on the user's PC) to access a page on a remote WWW server by typing in the URL (uniform resource locator) or clicking on a URL link. Note that a URL provides information about the communications protocol, the location of the server (typically an Internet domain name or IP address), and the location of the page on the remote server. The browser next sends a request to the server requesting the page. In response to the user's request, the web server sends the requested page to the browser. The page, however, contains html code instructing the browser to request some other WWW page; hence the redirection of the user begins. The browser then requests the redirected WWW page according to the URL contained in the first page's html code. Alternately, redirection can also be accomplished by coding the page such that it instructs the browser to run a program, like a Java applet or the like, which then redirects the browser. One disadvantage with current redirection technology is that control of the redirection is at the remote end, or WWW server end, and not the local, or user, end. That is to say that the redirection is performed by the remote server, not the user's local gateway.

Filtering packets at the Internet Protocol (IP) layer has been possible using a firewall device or other packet filtering device for several years. Although packet filtering is most often used to filter packets coming into a private network for security purposes, once properly programmed, such devices can filter outgoing packets sent from users to a specific destination as well. Packet filtering can distinguish, and filter based on, the type of IP service contained within an IP packet. For example, the packet filter can determine if the packet contains FTP (file transfer protocol) data, WWW data, or Telnet session data. Service identification is achieved by identifying the destination port number contained within the TCP or UDP header of each IP packet. Port numbers are standard within the industry to allow for interoperability between equipment. Packet filtering devices allow network administrators to filter packets based on the source and/or destination information, as well as on the type of service being transmitted within each IP packet. Unlike redirection technology, packet filtering technology allows control at the local end of the network connection, typically by the network administrator. However, packet filtering is very limited because it is static. Once packet filtering rule sets are programmed into a firewall or other packet filter device, the rule set can only be changed by manually reprogramming the device.

Packet filter devices are often used with proxy server systems, which provide access control to the Internet and are most often used to control access to the world wide web. In a typical configuration, a firewall or other packet filtering device filters all WWW requests to the Internet from a local network, except for packets from the proxy server. That is to say that a packet filter or firewall blocks all traffic originating from within the local network which is destined for connection to a remote server on port 80 (the standard WWW port number). However, the packet filter or firewall permits such traffic to and from the proxy server. Typically, the proxy server is programmed with a set of destinations that are to be blocked, and packets destined for blocked addresses are not forwarded. When the proxy server receives a request, the destination is checked against a database for approval. If the destination is allowed, the proxy server simply forwards packets between the local user and the remote server outside the firewall. However, proxy servers are limited to either blocking or allowing specific terminals access to remote sites.

A recent system is disclosed in U.S. Pat. No. 5,696,898. This patent discloses a system, similar to a proxy server, that allows network administrators to restrict specific IP addresses inside a firewall from accessing information from certain public or otherwise uncontrolled databases (i.e., the WWW/Internet). According to the disclosure, the system has a relational database which allows network administrators to restrict specific terminals, or groups of terminals, from accessing certain locations. Similarly limited as a proxy server, this invention can only block or allow terminals' access to remote sites. This system is also static in that rules programmed into the database need to be reprogrammed in order to change which locations specific terminals may access.

SUMMARY OF THE INVENTION

The present invention allows for creating and implementing dynamically changing rules, to allow the redirection, blocking, or allowing of specific data traffic for specific users, as a function of database entries and the user's activity. In certain embodiments according to the present invention, when the user connects to the local network, as in the prior art system, the user's ID and password are sent to the authentication accounting server. The user ID and password are checked against information in an authentication database. The database also contains personalized filtering and redirection information for the particular user ID. During the connection process, the dial-up network server provides the authentication accounting server with the IP address that is going to be temporarily assigned to the user. The authentication accounting server then sends both the user's temporary IP address and all of the particular user's filter and redirection information to a redirection server. The IP address temporarily assigned to the end user is then sent back to the end user for use in connecting to the network.

Once connected to the network, all data packets sent to, or received by, the user include the user's temporary IP address in the IP packet header. The redirection server uses the filter and redirection information supplied by the authentication accounting server, for that particular IP address, to either allow packets to pass through the redirection server unmolested, block the request altogether, or modify the request according to the redirection information.

When the user terminates the connection with the network, the dial-up network server informs the authentication accounting server, which in turn sends a message to the redirection server telling it to remove any remaining filtering and redirection information for the terminated user's temporary IP address. This then allows the dial-up network server to reassign that IP address to another user. Because rule sets are keyed by IP address, the old rule set must be removed before the address is reassigned; otherwise the new user would inherit the previous user's filtering and redirection rules. In such a case, the authentication accounting server retrieves the new user's filter and redirection information from the database and passes it, with the same IP address which is now being used by a different user, to the redirection server. This new user's filter may be different from the first user's filter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of a typical Internet Service Provider environment.

FIG. 2 is a block diagram of an embodiment of an Internet Service Provider environment with an integrated redirection system.

DETAILED DESCRIPTION OF THE INVENTION

In the following embodiments of the invention, common reference numerals are used to represent the same components. If the features of an embodiment are incorporated into a single system, these components can be shared and perform all the functions of the described embodiments.

FIG. 2 shows a typical Internet Service Provider (ISP) environment with an integrated user specific automatic data redirection system. In a typical use of the system, a user employs a personal computer (PC) 100, which connects to the network. The system employs: a dial-up network server 102, an authentication accounting server 204, a database 206 and a redirection server 208.

The PC 100 first connects to the dial-up network server 102. The connection is typically created using a computer modem; however, a local area network (LAN) or other communications link can be employed. The dial-up network server 102 is used to establish a communications link with the user's PC 100 using a standard communications protocol. In the preferred embodiment Point to Point Protocol (PPP) is used to establish the link between the PC 100 and the dial-up network server 102, and to dynamically assign the PC 100 an IP address from a list of available addresses. However, other embodiments may employ different communications protocols, and the IP address may also be permanently assigned to the PC 100. Dial-up network servers 102, PPP and dynamic IP address assignment are well known in the art.

An authentication accounting server with Auto-Navi component (hereinafter, authentication accounting server) 204 is used to authenticate a user ID and permit, or deny, access to the network. The authentication accounting server 204 queries the database 206 to determine if the user ID is authorized to access the network. If the authentication accounting server 204 determines the user ID is authorized, the authentication accounting server 204 signals the dial-up network server 102 to assign the PC 100 an IP address, and the Auto-Navi component of the authentication accounting server 204 sends the redirection server 208 (1) the filter and redirection information stored in database 206 for that user ID and (2) the temporarily assigned IP address for the session. One example of an authentication accounting server is discussed in U.S. Pat. No. 5,845,070, which is fully incorporated here by reference. Other types of authentication accounting servers are known in the art. However, these authentication accounting servers lack an Auto-Navi component.

The system described herein operates based on user IDs supplied to it by a computer. Thus the system does not “know” who the human being “user” is at the keyboard of the computer that supplies a user ID. However, for the purposes of this detailed description, “user” will often be used as a shorthand expression for “the person supplying inputs to a computer that is supplying the system with a particular user ID.”

The database 206 is a relational database which stores the system data. FIG. 3 shows one embodiment of the database structure. The database, in the preferred embodiment, includes the following fields: a user account number, the services allowed or denied each user (for example: e-mail, Telnet, FTP, WWW), and the locations each user is allowed to access.

Rule sets are employed by the system and are unique for each user ID, or a group of user IDs. The rule sets specify elements or conditions about the user's session. Rule sets may contain data about a type of service which may or may not be accessed, a location which may or may not be accessed, how long to keep the rule set active, under what conditions the rule set should be removed, when and how to modify the rule set during a session, and the like. Rule sets may also have a preconfigured maximum lifetime to ensure their removal from the system.

The redirection server 208 is logically located between the user's computer 100 and the network, and controls the user's access to the network. The redirection server 208 performs all the central tasks of the system. The redirection server 208 receives information regarding newly established sessions from the authentication accounting server 204. The Auto-Navi component of the authentication accounting server 204 queries the database for the rule set to apply to each new session, and forwards the rule set and the currently assigned IP address to the redirection server 208. The redirection server 208 receives the IP address and rule set, and is programmed to implement the rule set for the IP address, as well as other attendant logical decisions such as: checking data packets and blocking or allowing the packets as a function of the rule sets, performing the physical redirection of data packets based on the rule sets, and dynamically changing the rule sets based on conditions. When the redirection server 208 receives information regarding a terminated session from the authentication accounting server 204, the redirection server 208 removes any outstanding rule sets and information associated with the session. The redirection server 208 also checks for and removes expired rule sets from time to time.

In an alternate embodiment, the redirection server 208 reports all or some selection of session information to the database 206. This information may then be used for reporting, or additional rule set generation.

System Features Overview

In the present embodiment, each specific user may be limited to, or allowed, specific IP services, such as WWW, FTP and Telnet. This allows a user, for example, WWW access, but not FTP access or Telnet access. A user's access can be dynamically changed by editing the user's database record and commanding the Auto-Navi component of the authentication accounting server 204 to transmit the user's new rule set and current IP address to the redirection server 208.

A user's access can be “locked” to only allow access to one location, or a set of locations, without affecting other users' access. Each time a locked user attempts to access another location, the redirection server 208 redirects the user to a default location. In such a case, the redirection server 208 acts either as proxy for the destination address, or in the case of WWW traffic the redirection server 208 replies to the user's request with a page containing a redirection command.

A user may also be periodically redirected to a location, based on a period of time or some other condition. For example, the user will first be redirected to a location regardless of what location the user attempts to reach, then permitted to access other locations, but every ten minutes the user is automatically redirected to the first location. The redirection server 208 accomplishes such a rule set by setting an initial temporary rule set to redirect all traffic; after the user accesses the redirected location, the redirection server then either replaces the temporary rule set with the user's standard rule set or removes the rule set altogether from the redirection server 208. After a certain or variable time period, such as ten minutes, the redirection server 208 reinstates the rule set again.

The following steps describe details of a typical user session:

A user connects to the dial-up network server 102 through computer 100.

The user inputs user ID and password to the dial-up network server 102 using computer 100, which forwards the information to the authentication accounting server 204.

The authentication accounting server 204 queries database 206 and performs a validation check of the user ID and password.

Upon a successful user authentication, the dial-up network server 102 completes the negotiation and assigns an IP address to the user. Typically, the authentication accounting server 204 logs the connection in the database 206.

The Auto-Navi component of the authentication accounting server 204 then sends both the user's rule set (contained in database 206) and the user's IP address (assigned by the dial-up network server 102) in real time to the redirection server 208 so that it can filter the user's IP packets.

The redirection server 208 programs the rule set and IP address so as to control (filter, block, redirect, and the like) the user's data as a function of the rule set.

The following is an example of a typical user's rule set, attendant logic and operation:

If the rule set for a particular user (i.e., user UserID-2) was such as to only allow that user to access the web site www.us.com, and permit Telnet services, and redirect all web access from any server at xyz.com to www.us.com, then the logic would be as follows:

The database 206 would contain the following record for user UserID-2:

    ID UserID-2 Password: secret
    ################
    ### Rule Sets ###
    ################
    #service  rule                     expire
    http      www.us.com               0
    http      *.xyz.com=>www.us.com    0
    telnet    *                        0

The user initiates a session, and sends the correct user ID and password (UserID-2 and secret) to the dial-up network server 102. As both the user ID and password are correct, the authentication accounting server 204 authorizes the dial-up network server 102 to establish a session. The dial-up network server 102 assigns the user an IP address (for example, 10.0.0.1) and passes the IP address to the authentication accounting server 204.

The Auto-Navi component of the authentication accounting server 204 sends both the user's rule set and the user's IP address (10.0.0.1) to the redirection server 208.

The redirection server 208 programs the rule set and IP address so as to filter and redirect the user's packets according to the rule set. The logic employed by the redirection server 208 to implement the rule set is as follows:

    IF source IP-address = 10.0.0.1 AND
       ( ((request type = HTTP) AND (destination address = www.us.com))
         OR (request type = Telnet) )
    THEN ok.

    IF source IP-address = 10.0.0.1 AND
       ((request type = HTTP) AND (destination address = *.xyz.com))
    THEN (redirect = www.us.com)

The redirection server 208 monitors all the IP packets, checking each against the rule set. In this situation, if IP address 10.0.0.1 (the address assigned to user ID UserID-2) attempts to send a packet containing HTTP data to any machine within the xyz.com domain (i.e., attempts to connect to port 80 on such a machine), the traffic is redirected by the redirection server 208 to www.us.com. Similarly, if the user attempts anything other than HTTP to www.us.com or Telnet to any host, the packet will simply be blocked by the redirection server 208.

When the user logs out or disconnects from the system, the redirection server will remove all remaining rule sets.

The following is another example of a typical user's rule set, attendant logic and operation:

If the rule set for a particular user (i.e., user UserID-3) was to force the user to visit the web site www.widgetsell.com first, and then to have unfettered access to other web sites, then the logic would be as follows:

The database 206 would contain the following record for user UserID-3:

    ID UserID-3 Password: top-secret
    ################
    ### Rule Sets ###
    ################
    #service  rule                       expire
    http      *=>www.widgetsell.com      1x

The user initiates a session, and sends the correct user ID and password (UserID-3 and top-secret) to the dial-up network server 102. As both the user ID and password are correct, the authentication accounting server 204 authorizes the dial-up network server 102 to establish a session. The dial-up network server 102 assigns the user an IP address (for example, 10.0.0.1) and passes the IP address to the authentication accounting server 204.

The Auto-Navi component of the authentication accounting server 204 sends both the user's rule set and the user's IP address (10.0.0.1) to the redirection server 208.

The redirection server 208 programs the rule set and IP address so as to filter and redirect the user's packets according to the rule set. The logic employed by the redirection server 208 to implement the rule set is as follows:

    IF source IP-address = 10.0.0.1 AND (request type = HTTP)
    THEN (redirect = www.widgetsell.com)
    THEN SET NEW RULE
       IF source IP-address = 10.0.0.1 AND (request type = HTTP) THEN ok.

The redirection server 208 monitors all the IP packets, checking each against the rule set. In this situation, if IP address 10.0.0.1 (the address assigned to user ID UserID-3) attempts to send a packet containing HTTP data (i.e., attempts to connect to port 80 on any machine), the traffic is redirected by the redirection server 208 to www.widgetsell.com. Once this is done, the redirection server 208 will remove the rule set and the user is free to use the web unmolested.

When the user logs out or disconnects from the system, the redirection server will remove all remaining rule sets.
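The two sessions above (UserID-2's static allow and redirect rules, and UserID-3's one-shot redirect), together with the rule-set removal on disconnect and reuse of the same address by a different user described in the summary, as an added example in Python. This is not code from the patent. It parses records in the `service rule expire` layout of the two database listings and evaluates requests against them. The column semantics (`0` = persistent, `Nx` = removed after N matching requests), the treatment of an address with no rule set as blocked, and the treatment of an address whose rule set has been emptied as unrestricted, are assumptions chosen to reproduce the outcomes the text describes; the matching order (first matching rule wins) and the fnmatch-style host patterns are also assumptions.

```python
"""Toy model of the redirection server's per-address rule sets.

Added example, not code from the patent. Records use the
'service rule expire' layout from the two database listings; the
column semantics below are assumptions:
  expire '0'  -> persistent rule
  expire 'Nx' -> rule removed after N matching requests
"""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed rule-set records in the layout of the UserID-2 and
# UserID-3 listings (only the Rule Sets part; passwords omitted).
RECORDS = {
    "UserID-2": """
        http    www.us.com              0
        http    *.xyz.com=>www.us.com   0
        telnet  *                       0
    """,
    "UserID-3": """
        http    *=>www.widgetsell.com   1x
    """,
}


@dataclass
class Rule:
    service: str              # "http", "telnet", ...
    pattern: str              # destination host pattern (fnmatch style)
    target: Optional[str]     # redirect target, or None for a plain allow
    remaining: Optional[int]  # None = persistent, else matches left


def parse_rules(record: str) -> List[Rule]:
    """Parse one user's 'service rule expire' lines into Rule objects."""
    rules = []
    for line in record.strip().splitlines():
        service, rule, expire = line.split()
        pattern, _, target = rule.partition("=>")
        remaining = None if expire == "0" else int(expire.rstrip("x"))
        rules.append(Rule(service, pattern, target or None, remaining))
    return rules


Decision = Tuple[str, Optional[str]]  # ("allow"|"block"|"redirect", host)


class RedirectionServer:
    """Holds rule sets keyed by the temporarily assigned IP address."""

    def __init__(self) -> None:
        self.by_addr: Dict[str, List[Rule]] = {}

    def install(self, addr: str, rules: List[Rule]) -> None:
        """Auto-Navi hands over (address, rule set) at session start."""
        self.by_addr[addr] = list(rules)

    def remove(self, addr: str) -> None:
        """Session end: drop every rule for the address. This must happen
        before the dial-up server reuses the address, or the next user
        would inherit this user's rules."""
        self.by_addr.pop(addr, None)

    def decide(self, src: str, service: str, dest: str) -> Decision:
        """Check one request from src against that address's rule set."""
        rules = self.by_addr.get(src)
        if rules is None:
            return ("block", None)       # no session known for this address
        if not rules:
            return ("allow", dest)       # rule set exhausted: unrestricted
        for rule in rules:
            if rule.service != service or not fnmatch.fnmatch(dest, rule.pattern):
                continue
            if rule.remaining is not None:   # one-shot / N-shot rule
                rule.remaining -= 1
                if rule.remaining == 0:
                    rules.remove(rule)
            if rule.target:
                return ("redirect", rule.target)
            return ("allow", dest)
        return ("block", None)           # rule set present, nothing matched


def run_session(user: str, addr: str, requests, server=None) -> List[Decision]:
    """Install the user's rules, evaluate requests in order, then disconnect."""
    server = server or RedirectionServer()
    server.install(addr, parse_rules(RECORDS[user]))
    decisions = [server.decide(addr, svc, dest) for svc, dest in requests]
    server.remove(addr)
    return decisions


if __name__ == "__main__":
    srv = RedirectionServer()
    print(run_session("UserID-2", "10.0.0.1",
                      [("http", "www.us.com"), ("http", "mail.xyz.com"),
                       ("http", "www.example.net"), ("telnet", "host.example.net")], srv))
    # Same address, different user: the old rules are gone before reinstall.
    print(run_session("UserID-3", "10.0.0.1",
                      [("http", "www.example.net"), ("http", "www.example.net")], srv))
```

The `decide` method returns the decision rather than acting on the packet, so the same logic can sit in front of a proxy (for the redirect case) or a packet filter (for allow and block). Note that the one-shot rule counts down on the redirect itself; the text removes it after the user reaches the redirected location, which would need the follow-up request to be observed as well.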

In an alternate embodiment a user may be periodically redirected to a location based on a number of other factors, such as the number of locations accessed, the time spent at a location, the types of locations accessed, and other such factors.

A user's account can also be disabled after the user has exceeded a length of time. The authentication accounting server 204 keeps track of the user's time online. Prepaid use subscriptions can thus be easily managed by the authentication accounting server 204.

In yet another embodiment, signals from the Internet 110 side of the redirection server 208 can be used to modify rule sets being used by the redirection server. Preferably, encryption and/or authentication are used to verify that the server or other computer on the Internet 110 side of the redirection server 208 is authorized to modify the rule set or rule sets that it is attempting to modify; without such verification, any host on the Internet side could lift or alter a user's restrictions. An example of this embodiment is where it is desired that a user be redirected to a particular web site until they fill out a questionnaire or satisfy some other requirement on such a web site. In this example, the redirection server redirects a user to a particular web site that includes a questionnaire. After this web site receives acceptable data in all required fields, the web site then sends an authorization to the redirection server that deletes the redirection to the questionnaire web site from the rule set for the user who successfully completed the questionnaire. Of course, the type of modification an outside server can make to a rule set on the redirection server is not limited to deleting a redirection rule, but can include any other type of modification to the rule set that is supported by the redirection server as discussed above.
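The questionnaire scenario above, as an added example in Python that is not code from the patent: a web site on the Internet side asks the redirection server to delete the redirect for one address, and the server verifies the request before touching the rule set. The message fields, the HMAC-SHA256 shared-key scheme, the 60-second replay window, the nonce check and the rule that a site may only remove redirects pointing at itself are all assumptions; the patent only says that encryption and/or authentication should verify the requester is authorized.

```python
"""Authenticated rule-set modification from the Internet side.

Added example, not code from the patent. The message layout, the
HMAC-SHA256 shared-key scheme, the replay window and the restriction
that a web site may only remove redirects pointing at itself are
assumptions chosen to illustrate the verification the text calls for.
"""
import hashlib
import hmac
import json
from typing import Dict, List, Set, Tuple

REPLAY_WINDOW = 60  # seconds a signed request stays acceptable (assumption)


def canonical(msg: dict) -> bytes:
    """Stable byte encoding so sender and verifier sign the same thing."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, msg: dict) -> str:
    return hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()


class RuleStore:
    """Minimal per-address store of (service, pattern, target) redirect rules."""

    def __init__(self) -> None:
        self.rules: Dict[str, Set[Tuple[str, str, str]]] = {}

    def add(self, addr: str, service: str, pattern: str, target: str) -> None:
        self.rules.setdefault(addr, set()).add((service, pattern, target))

    def delete_redirects_to(self, addr: str, target: str) -> int:
        """Remove every rule for addr that redirects to target; return count."""
        current = self.rules.get(addr, set())
        doomed = {r for r in current if r[2] == target}
        current -= doomed
        return len(doomed)


class ModificationGateway:
    """Accepts rule-change requests from authorized web sites only."""

    def __init__(self, store: RuleStore, site_keys: Dict[str, bytes]) -> None:
        self.store = store
        self.site_keys = site_keys               # site hostname -> shared secret
        self.seen: Set[Tuple[str, str]] = set()  # (site, nonce) already accepted

    def apply(self, msg: dict, mac: str, now: float) -> str:
        site = msg.get("site", "")
        key = self.site_keys.get(site)
        if key is None:
            return "unknown site"
        # Constant-time compare over the canonical encoding: a tampered
        # field (e.g. a different addr) changes the MAC.
        if not hmac.compare_digest(sign(key, msg), mac):
            return "bad mac"
        if abs(now - msg["ts"]) > REPLAY_WINDOW:
            return "stale"
        if (site, msg["nonce"]) in self.seen:
            return "replay"
        if msg["action"] != "delete_redirect":
            return "unsupported action"
        # Least privilege: the questionnaire site may only lift the
        # redirect that sends users to itself, not rewrite other rules.
        if msg["target"] != site:
            return "not authorized for target"
        self.seen.add((site, msg["nonce"]))
        removed = self.store.delete_redirects_to(msg["addr"], msg["target"])
        return "ok" if removed else "no such rule"


def demo() -> List[str]:
    """Constructed scenario: the survey site lifts its redirect, a replay
    of the same message is refused, and a tampered copy fails the MAC."""
    store = RuleStore()
    store.add("10.0.0.1", "http", "*", "www.survey.example")
    key = b"shared-secret-for-survey-site"        # constructed key
    gw = ModificationGateway(store, {"www.survey.example": key})
    msg = {"site": "www.survey.example", "addr": "10.0.0.1",
           "action": "delete_redirect", "target": "www.survey.example",
           "nonce": "n-0001", "ts": 1_000_000}
    mac = sign(key, msg)
    return [gw.apply(msg, mac, now=1_000_010),                          # ok
            gw.apply(msg, mac, now=1_000_020),                          # replay
            gw.apply(dict(msg, addr="10.0.0.2"), mac, now=1_000_010)]   # bad mac


if __name__ == "__main__":
    print(demo())
```

The MAC is checked before any other field is trusted, the timestamp and nonce bound how long a captured authorization can be reused, and the target restriction keeps a compromised questionnaire server from removing or rewriting rules that have nothing to do with it. A production deployment would also need to scope which addresses a site may act on and to rotate the shared secrets.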

It will be clear to one skilled in the art that the invention may be implemented to control (block, allow and redirect) any type of service, such as Telnet, FTP, WWW and the like. The invention is easily programmed to accommodate new services or networks and is not limited to those services and networks (e.g., the Internet) now known in the art.

It will also be clear that the invention may be implemented on non-IP based networks which implement other addressing schemes, such as IPX, MAC addresses and the like. While the operational environment detailed in the preferred embodiment is that of an ISP connecting users to the Internet, it will be clear to one skilled in the art that the invention may be implemented in any application where control over users' access to a network or network resources is needed, such as a local area network, wide area network and the like. Accordingly, neither the environment nor the communications protocols are limited to those discussed.

CLAIMS

1. A system comprising: a database with entries correlating each of a plurality of user IDs with an individualized rule set; a dial-up network server that receives user IDs from users' computers; a redirection server connected to the dial-up network server; an authentication accounting server connected to the database, the dial-up network server and the redirection server; wherein the dial-up network server communicates a first user ID and a temporarily assigned network address for the first user ID to the authentication accounting server; and wherein the authentication accounting server accesses the database and communicates the individualized rule set that correlates with the user ID and the temporarily assigned network address to the redirection server.

2. The system of claim 1, wherein the redirection server further provides control over a plurality of data to and from the users' computers as a function of the individualized rule set.

3. The system of claim 1, wherein the redirection server further blocks the data to and from the users' computers as a function of the individualized rule set.

4. The system of claim 1, wherein the redirection server further allows the data to and from the users' computers as a function of the individualized rule set.

5. The system of claim 1, wherein the redirection server further redirects the data to and from the users' computers as a function of the individualized rule set.

6. The system of claim 1, wherein the redirection server further redirects the data from the users' computers to multiple destinations as a function of the individualized rule set.

7. The system of claim 1, wherein the database entries for a plurality of the plurality of users' IDs are correlated with a common individualized rule set.

8. In a system comprising a database with entries correlating each of a plurality of user IDs with an individualized rule set; a dial-up network server that receives user IDs from users' computers; a redirection server connected to the dial-up network server; an authentication accounting server connected to the database, the dial-up network server and the redirection server, the method comprising the steps of: communicating a first user ID and a temporarily assigned network address for the first user ID from the dial-up network server to the authentication accounting server; and communicating the individualized rule set that correlates with the user ID and the temporarily assigned network address to the redirection server from the authentication accounting server.

9. The method of claim 8, further including the step of controlling a plurality of data to and from the users' computers as a function of the individualized rule set.

10. The method of claim 8, further including the step of blocking the data to and from the users' computers as a function of the individualized rule set.

11. The method of claim 8, further including the step of allowing the data to and from the users' computers as a function of the individualized rule set.

12. The method of claim 8, further including the step of redirecting the data to and from the users' computers as a function of the individualized rule set.

13. The method of claim 8, further including the step of redirecting the data from the users' computers to multiple destinations as a function of the individualized rule set.

14. The method of claim 8, further including the step of creating database entries for a plurality of the plurality of users' IDs, the plurality of users' IDs further being correlated with a common individualized rule set.

15. A system comprising: a redirection server programmed with a user's rule set correlated to a temporarily assigned network address; wherein the rule set contains at least one of a plurality of functions used to control the user's data; and wherein the redirection server is configured to allow modification of at least a portion of the rule set.

16. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of time.

17. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of the data transmitted to or from the user.

18. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of the location or locations the user accesses.

19. The system of claim 15, wherein the redirection server is configured to allow modification of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location or locations the user accesses.

20. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of time.

21. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of the data transmitted to or from the user.

22. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of the location or locations the user accesses.

23. The system of claim 15, wherein the redirection server is configured to allow the removal or reinstatement of at least a portion of the rule set as a function of some combination of time, data transmitted to or from the user, or location or locations the user accesses.

24. The system of claim 15, wherein the redirection server has a user side that is connected to a computer using the temporarily assigned network address and a network side connected to a computer network, and wherein the computer using the temporarily assigned network address is connected to the computer network through the redirection server.

25. The system of claim 24, wherein instructions to the redirection server to modify the rule set are received by one or more of the user side of the redirection server and the network side of the redirection server.

26. In a system comprising a redirection server containing a user's rule set correlated to a temporarily assigned network address, wherein the user's rule set contains at least one of a plurality of functions used to control the user's data, the method comprising the step of: modifying at least a portion of the user's rule set while the user's rule set remains correlated to the temporarily assigned network address in the redirection server.

27. The method of claim 26, further including the step of modifying at least a portion of the user's rule set as a function of one or more of: time, data transmitted to or from the user, and location or locations the user accesses.

28. The method of claim 26, further including the step of removing or reinstating at least a portion of the user's rule set as a function of one or more of: time, the data transmitted to or from the user, and the location or locations the user accesses.

29. The method of claim 26, wherein the redirection server has a user side that is connected to a computer using the temporarily assigned network address and a network side connected to a computer network, and wherein the computer using the temporarily assigned network address is connected to the computer network through the redirection server, and the method further includes the step of: receiving instructions by the redirection server to modify at least a portion of the user's rule set through one or more of the user side of the redirection server and the network side of the redirection server.